Authentication and access control for services is usually based on proving knowledge of some sort of secret credential. Often such credentials are stored and used within a security element such as a smartcard or a device containing a secure environment (like a mobile phone with ARM TrustZone). Some security elements, like SIM (subscriber identification module) cards of mobile phones, are used for a single purpose and have fixed credentials.
There are also “blank” security elements to which credentials can be securely provisioned when needed. For example, IETF (internet engineering task force) keyprov working group is working on mechanisms to provision symmetric key credentials for security elements. DSKPP (dynamic symmetric key provisioning protocol) draft (draft-doherty-keyprov-dskpp-01.txt) discloses mechanisms for provisioning keys to a specific security element by using a public key specific to that security element.
Additionally there are general purpose security elements, which can be used to store and use different types of credentials. For example, multi-application smartcards can simultaneously contain different smartcard applications, each operating on different credentials. Secrets can be provisioned to such an application residing on a multi-application smartcard based on a symmetric key shared between the application and the provisioner of the secret. A limitation of such systems is that only those applications approved and authorized by the issuer of the smartcard can be installed and used on the smartcard. Another limitation of such provisioning is that it concerns only provisioners who have an existing security association with the security element (i.e. manufacturer of the security element or someone authorized by the manufacturer.
Thus there is room for further considerations.